From edd36f9efefc361a4cd5b48f5a71dccdee7ce191 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 30 Apr 2026 01:38:04 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]=20Fi?=
 =?UTF-8?q?x=20XSS=20vulnerability=20in=20WebView=20data=20transfer?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: TargetMisser <52361977+TargetMisser@users.noreply.github.com>
---
 .jules/sentinel.md          |  4 ++++
 src/screens/HomeScreen.tsx  | 22 +++++++++++++---------
 src/screens/ShiftScreen.tsx | 22 +++++++++++++---------
 3 files changed, 30 insertions(+), 18 deletions(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..8a19e4d
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-05-01 - XSS in WebView
+**Vulnerability:** Use of `injectJavaScript` to pass user-provided base64 images to WebView in `HomeScreen.tsx` and `ShiftScreen.tsx` introduces XSS risk.
+**Learning:** React Native developers often use `injectJavaScript` with string interpolation for passing data, which can execute arbitrary JS if the string isn't sanitized perfectly. The memory correctly points out we should use `postMessage` instead.
+**Prevention:** Avoid `injectJavaScript` for data transfer. Use `postMessage` from React Native to WebView, and set up a `message` listener inside the WebView's HTML string.
diff --git a/src/screens/HomeScreen.tsx b/src/screens/HomeScreen.tsx
index 7779ce3..80be29d 100644
--- a/src/screens/HomeScreen.tsx
+++ b/src/screens/HomeScreen.tsx
@@ -35,6 +35,17 @@ const HOME_REST_TIMING = { startHour: 12, startMinute: 0, endHour: 14, endMinute
 const engineHtml = `<!DOCTYPE html><html lang="it"><head>
 <script src="https://cdn.jsdelivr.net/npm/tesseract.js@5/dist/tesseract.min.js"></script></head>
 <body style="background-color:transparent;"><script>
+document.addEventListener("message", function(event) {
+  if (window.runTesseract && event.data) {
+    window.runTesseract(event.data);
+  }
+});
+window.addEventListener("message", function(event) {
+  if (window.runTesseract && event.data) {
+    window.runTesseract(event.data);
+  }
+});
+
 window.runTesseract = async function(base64JsonStr) {
   try {
     const images = JSON.parse(base64JsonStr);
@@ -283,15 +294,8 @@ export default function HomeScreen({ isFocused }: { isFocused?: boolean }) {
         setProcessing(true); setOcrText('');
         const base64List = result.assets.map(a => `data:image/jpeg;base64,${a.base64}`);
         const base64Json = JSON.stringify(base64List);
-        // Use postMessage pattern to avoid script-injection risks with injectJavaScript
-        webViewRef.current?.injectJavaScript(`
-          if(window.runTesseract){
-            window.runTesseract(${JSON.stringify(base64Json)});
-          } else {
-            window.ReactNativeWebView.postMessage(JSON.stringify({success:false,error:'OCR non pronto'}));
-          }
-          true;
-        `);
+                // Use postMessage pattern to avoid script-injection risks with injectJavaScript
+        webViewRef.current?.postMessage(base64Json);
       }
     } catch (e) { if (__DEV__) console.error('[imagePicker]', e); setProcessing(false); }
   };
diff --git a/src/screens/ShiftScreen.tsx b/src/screens/ShiftScreen.tsx
index 128e708..34e5b19 100644
--- a/src/screens/ShiftScreen.tsx
+++ b/src/screens/ShiftScreen.tsx
@@ -34,15 +34,8 @@ export default function ShiftScreen() {
         const base64List = result.assets.map(a => `data:image/jpeg;base64,${a.base64}`);
         const base64Json = JSON.stringify(base64List).replace(/'/g, "\\'");
         
-        const jsCode = `
-          if (window.runTesseract) {
-            window.runTesseract('${base64Json}');
-          } else {
-            window.ReactNativeWebView.postMessage(JSON.stringify({ success: false, error: "Motore OCR non pronto." }));
-          }
-          true;
-        `;
-        webViewRef.current?.injectJavaScript(jsCode);
+        // Use postMessage pattern to avoid script-injection risks with injectJavaScript
+        webViewRef.current?.postMessage(base64Json);
       }
     } catch (e) {
       Alert.alert("Errore OCR", "Impossibile elaborare l'immagine.");
@@ -217,6 +210,17 @@ export default function ShiftScreen() {
     </head>
     <body style="background-color: transparent;">
       <script>
+        document.addEventListener("message", function(event) {
+          if (window.runTesseract && event.data) {
+            window.runTesseract(event.data);
+          }
+        });
+        window.addEventListener("message", function(event) {
+          if (window.runTesseract && event.data) {
+            window.runTesseract(event.data);
+          }
+        });
+
         window.runTesseract = async function(base64JsonStr) {
           try {
             const images = JSON.parse(base64JsonStr);